Abstract Dukov Dmitry User Activity Monitoring

Main Page (RUS) | Main Page (UKR) | Main Page (ENG) | DonNTU> Master's portal

DonNTU> Master's portal> Abstract | Links | Report about the search | Individual task

russian

Dukov Dmitry

Leader of work: Shevchenko Olga Georgievna

Software development for invisible monitoring user activity, using rootkits technologies

Abstract

Introduction

Information is the most valuable resource nowadays, especially when we are talking about business area of human activity, so it is natural that people try to hide a strategically important information from other people, who are may be interested in it. Taking into account that personal computers spreads on the different areas of human activity more and more, and in most cases they are connected between each other and globally to Internet, we can make a conclusion that personal computer can be used as a tool for confidential information interchange.

Topicality

One of the ways to control an information flow is to create an application, which main purpose is to monitor user activity (means keystrokes, screen shots). Such kind of application is very useful at offices, where a lot of PC operators works. It can help to watch after operators to save the privacy of the information and to improve maybe productivity of labor. Taking into account skills of nowadays users, the application must act hidden, difficult to be found by user.

Tasks and Purposes

The main purpose of project is to create an application, which will monitor user activity secretly. Some tasks are to be solved to get to the main purpose. They are:

classifying methods of hiding
researching user-land methods
kernel methods ofhiding research
selection the most effective way to hide
improving the most effective way to get more invisible
development of software with monitoring functions

Topic review

The topic of rootkits is discussed a lot by security specialists and by their opponents. The most valuables works on this topic are works of ("Hooking Windows API", "Invisibility on NT boxes"), ("Simple Hooking of Functions not Exported by Ntoskrnl.exe"), ("Process Invincibility") and others. New ways of hiding, tricking the security system of Windows XP are found often nowadays and there is still place for creativity present.

The bases for research are the numerous articles, which can be found on rootkits.com.

Results

The application, which is to be created, consists of three logical parts. They are:

Module of user activity harvesting (keystrokes and screen shots)
Module of network interaction
Module of application activity hiding (main subject of research in this MPhil)

By the level of action, the application is also consists of two parts:

Drivers, which are to act at ring-0(x86) protection level
Executable file and dynamic-link libraries, which are to act at ring-3 protection level

The keystrokes, to act more accurate, are gathered using driver. Gathering screen shots on ring-0 protection level is rather complicated task and it gives no advantage in comparing with ring-3 method, so it (ring-3 method) will be used. Network interaction will be done using ring-3 possibilities. Methods of hiding are researching now. They can be divided into two groups by operating level:

ring-3 (userland) methods
ring-0 (kernel) methods

The most popular of ring-3 methods are:

system library patch (almost not in use nowadays, because not transportable to other versions of Windows in most cases)
import table patch (also less is used nowadays, because of not being able to hook functions, called dynamically, using LoadLibrary/GetProAddress method)
functions splicing (means changing first 5 bytes on unconditional jump command with 4-bytes offset to our function; this is the most popular method)

The most popular of ring-0 methods are:

DKOM - Direct Kernel Objects Manipulating (EPROCESS structure list for hiding specified process, for example)
Kernel functions splicing (the same advantages as in the ring-3; one of the most popular methods)
Adding additional filtering driver to the stack of devices to intercept all IRP (Input/Output Request Packet) for changing them or changing the information, they return.
Hooking SSDT (System Services Dispatch Table)

Animation. (1 repeat; 28 frames)
Scheme of function splicing
(Refresh page to view again)

On this stage of developing dynamic-linked library is created for hiding application activity, using ring-3 methods. Hiding is provided because of NtQuerySystemInformation function splicing and modifying its results of work, and NtQueryDirectoryInformation function splicing with the same model of behavior. Also on this stage it is come out that these methods are not effective and the application can be discovered. So now methods of ring-0 are researched and tested. The driver was implemented, which operated using DKOM with EPROCESS list for hiding specified process. The filtering driver was created for intercepting IRP to all logical disks in the system for hiding specialized files or directories. Now work is going on with research of SwapContext function and protection it from splicing, for hiding integrity. The idea of new method of protection is being implemented now, and will be tested.

As the result of work an application is created, which purpose is to monitor user activity secretly. The most effective method will be discovered and implemented. This application is to be introduced into some firms for operators spying.

Sources

Print sources

Колисниченко Д. Н. "Rootkits под Windows" // НиТ СПб 2006 г.
Хоглунд Г. Батлер Д. "Руткиты. Внедрение в ядро Windows" // Addison-Wesley, Питер 2007 г.

Other sources

http://www.wasm.ru russian language site, devoted to system programming
http://rootkit.com resource about rootkits
http://rootkits.ru russian resource about rootkits